Hackers who breached Google’s network in 2010 obtained access to the company’s system for tracking surveillance requests from law enforcement, according to a news report.

The hackers gained access to a database that Google used to process court orders from law enforcement agencies seeking information about customer accounts, including classified FISA orders that are used in foreign intelligence surveillance investigations, according to the Washington Post.

The database contained years’ worth of information on law enforcement surveillance orders issued by judges around the country. The hackers were hoping to discover if law enforcement agents were investigating undercover Chinese intelligence operatives who were working out of the U.S.

The news confirms rumors that circulated at the time of the breach that Google’s hackers had gained access to this system.

“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” a former U.S. official told the Post.

Google stunned the security community in January 2010 when it became the first U.S. company to publicly announce that it had been hacked. The company said at the time that the intruders had stolen source code and were also trying to obtain access to the Gmail accounts of Tibetan activists.

Google wasn’t the only company that was hacked in 2010. Minutes after Google announced its intrusion, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had also been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.” Eventually, reports surfaced that the attackers had targeted more than 30 companies, including financial institutions and defense contractors, seeking source code and other data. The attackers targeted source code management systems, which would have given them the ability to steal source code as well as modify it to make customers who use the software vulnerable to attack.

The sophisticated Google breach was traced to China and prompted Google to announce plans to stop censoring Google search results in that country. The breach also led Secretary of State Hillary Clinton to publicly condemn the intrusion and call on China to explain itself over the breach.

Asked by Wired at the time if its system for processing law enforcement surveillance requests was breached, a Google spokesman declined to answer.

But according to the Post, the breach launched a months-long dispute between Google and the Justice Department over the latter’s request to view logs and other forensic information about the breach. The Post doesn’t say what Google provided law enforcement.

The news comes weeks after a senior Microsoft official disclosed during a conference presentation last month that Chinese hackers had targeted his own company around the same time that Google had been hacked. He noted that the attackers had been trying to determine which Microsoft accounts were under surveillance by law enforcement. He suggested this had been their goal in hacking Google as well.

“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, said at the time.

The Post notes that Microsoft disputes that its servers were breached in the 2010 wave of attacks that struck Google and other companies. But Aucsmith never said the company was breached, just that it was targeted, suggesting that an attempt may have been made to breach the system but was either unsuccessful or was caught before the hackers could gain entry.

[2010] Google Hack Attack Was Ultra Sophisticated

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”

...

Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said.

The attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity, according to Alperovitch.

“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” he said. “We haven’t seen encryption at this level. It was highly sophisticated.”

The hack attacks, which are said to have targeted at least 34 companies in the technology, financial and defense sectors, have been dubbed “Operation Aurora” by McAfee due to the belief that this is the name the hackers used for their mission.

The name comes from references in the malware to a file folder named “Aurora” that was on the computer of one of the attackers. McAfee researchers say that when the hacker compiled the source code for the malware into an executable file, the build tools embedded in the binary (as part of its debug information) the path of the directory on the attacker’s machine where he worked on the source code.
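The build-path artefact described above is what analysts still look for first when attributing a Windows sample: the MSVC linker writes a CodeView record (signature `RSDS`, a GUID, an age counter, then the NUL-terminated path to the `.pdb` file) into the executable, and that path carries the developer’s working directory. The following is an added example, not McAfee’s code and not derived from any real Aurora sample; it scans a byte buffer for such records, and the embedded image and the `C:\work\Aurora\...` path in it are constructed purely to illustrate the mechanism.

```python
import struct
from typing import List

# "RSDS" is the CodeView signature the MSVC linker writes into a PE's debug
# directory. It is followed by a 16-byte GUID, a 4-byte "age", and the
# NUL-terminated path of the .pdb file as it existed on the build machine.
RSDS_SIG = b"RSDS"


def find_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in a byte buffer (a PE image or memory dump).

    Scanning for the signature instead of walking the PE headers keeps this
    usable on truncated, packed-then-dumped, or otherwise damaged samples.
    """
    paths = []
    pos = 0
    while True:
        pos = data.find(RSDS_SIG, pos)
        if pos < 0:
            break
        start = pos + 4 + 16 + 4          # skip signature, GUID, age
        end = data.find(b"\x00", start)   # path is NUL-terminated
        if end < 0:
            break
        raw = data[start:end]
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            pos += 4                      # random "RSDS" collision; keep scanning
            continue
        # Genuine PDB paths are printable and contain a directory separator.
        if text.isprintable() and ("\\" in text or "/" in text):
            paths.append(text)
        pos = end
    return paths


def build_directory(pdb_path: str) -> str:
    """The directory the developer worked in, i.e. the attribution artefact."""
    sep = "\\" if "\\" in pdb_path else "/"
    return pdb_path.rsplit(sep, 1)[0]


# Constructed sample: a fake CodeView record surrounded by filler bytes.
# The path is invented to mirror the article's "Aurora" folder reference;
# it is not taken from any real malware.
SAMPLE_PDB = r"C:\work\Aurora\Release\svchost.pdb"
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 64
    + RSDS_SIG + b"\x11" * 16 + struct.pack("<I", 1)
    + SAMPLE_PDB.encode("ascii") + b"\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for p in find_pdb_paths(SAMPLE_IMAGE):
        print(p, "->", build_directory(p))
```

Run against a real PE, the same scan also reports paths in statically linked third-party libraries, so a recovered directory should be cross-checked against the import table and strings before it is treated as the author’s own workspace; and an operator who strips debug information (`/DEBUG:NONE`) leaves no record at all, so absence proves nothing.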

Minutes after Google announced its intrusion, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had also been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

In the wake of Threat Level’s Thursday story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies, Microsoft published an advisory about the flaw that it already had in the works.

McAfee has added protection to its products to detect the malware used in the attacks.

Although the initial attack occurred when company employees visited a malicious website, Alperovitch said researchers are still trying to determine if this occurred through a URL sent to employees by e-mail or instant messaging or through some other method, such as Facebook or other social networking sites.

Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other.

“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”

One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.
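A covert channel that only “masquerades” as SSL on port 443 is, by definition, not speaking TLS, and that is exactly what a protocol-validating detector catches: the first bytes a real TLS client sends form a handshake record (content type 0x16, version 3.x, a sane length) carrying a ClientHello (0x01). The check below is an added example, not code from McAfee, Google or the article; the flows it inspects are constructed in-line, and it assumes the disguised channel does not begin with a valid ClientHello. Network monitors such as Zeek and Suricata apply the same idea to live traffic under the name protocol detection.

```python
import struct
from typing import List, Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
MAX_RECORD = 16384          # maximum TLS record payload (2^14)


def tls_record_problem(data: bytes) -> Optional[str]:
    """Return None if `data` starts like a genuine TLS ClientHello record,
    otherwise a short reason why it does not. Assumes the ClientHello is
    not split across records, which is the common case."""
    if len(data) < 6:
        return "too short for a TLS record header"
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE:
        return f"record type 0x{ctype:02x} is not handshake (0x16)"
    if vmaj != 3 or vmin > 4:
        return f"unknown protocol version {vmaj}.{vmin}"
    if rec_len == 0 or rec_len > MAX_RECORD:
        return f"implausible record length {rec_len}"
    if data[5] != CLIENT_HELLO:
        return f"first handshake message 0x{data[5]:02x} is not ClientHello"
    if len(data) < 9:
        return "truncated handshake header"
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 != rec_len:
        return "handshake length does not match record length"
    return None


def make_client_hello() -> bytes:
    """Construct a minimal but well-formed TLS 1.2 ClientHello record."""
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + bytes(range(32))           # client_random (constructed, not random)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                # one compression method: null
        + b"\x00\x00"                # no extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


Flow = Tuple[str, str, int, bytes]   # (src, dst, dst_port, first client bytes)

# Constructed flows: one real ClientHello, one bare binary protocol on 443,
# one clear-text HTTP request on 443, and ordinary HTTP on 80 as a control.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", 443, make_client_hello()),
    ("10.0.0.7", "203.0.113.20", 443, b"\xaa\x55\x00\x10" + b"\x00" * 12),
    ("10.0.0.9", "203.0.113.30", 443, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
]


def find_fake_tls(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Alert on port-443 flows whose first bytes are not a TLS ClientHello."""
    alerts = []
    for src, dst, port, first_bytes in flows:
        if port != 443:
            continue
        problem = tls_record_problem(first_bytes)
        if problem:
            alerts.append((src, dst, problem))
    return alerts


if __name__ == "__main__":
    for src, dst, why in find_fake_tls(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 not TLS: {why}")
```

The caveat is the obvious one: an attacker who wraps the channel in real TLS passes this check, which pushes detection toward certificate and SNI anomalies, JA3-style handshake fingerprints, beaconing intervals and destination reputation rather than record-layer syntax.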

McAfee obtained copies of malware used in the attack, and quietly added protection to its products a number of days ago, Alperovitch said, after its researchers were first brought in by hacked companies to help investigate the breaches.

Although security firm iDefense told Threat Level on Tuesday that the Trojan used in some of the attacks was Trojan.Hydraq, Alperovitch says the malware he examined was not previously known to any anti-virus vendor.

[Update: McAfee did not provide information on the code it examined until after this story published. Researchers who have since examined Hydraq and the malware McAfee identified in the attack say the code is the same and that Hydraq, which Symantec identified only on Jan. 11, was indeed the code used to breach Google and others.]

iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies. The hackers sent e-mail to targets that carried malicious PDF attachments.

Alperovitch said that none of the companies he examined were breached with a malicious PDF, but he said there were likely many methods used to attack the various companies, not just the IE vulnerability.

Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan. Alperovitch wouldn’t identify the systems in the United States that were involved in the attack, though reports indicate that Rackspace, a hosting firm in Texas, was used by the hackers. Rackspace disclosed on its blog this week that it inadvertently played “a very small part” in the hack.

The company wrote that “a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

Alperovitch wouldn’t say what the attackers might have found once they were on company networks, other than to indicate that the high-value targets that were hit “were places of important intellectual property.”

iDefense, however, told Threat Level that the attackers were targeting source-code repositories of many of the companies and succeeded in reaching their target in many cases.

Alperovitch says the attacks appeared to have begun Dec. 15, but may have started earlier. They appear to have ceased on Jan. 4, when command-and-control servers that were being used to communicate with the malware and siphon data shut down.

“We don’t know if the attackers shut them down, or if some other organizations were able to shut them down,” he said. “But the attacks stopped from that point.”

Google announced Tuesday that it had discovered in mid-December that it had been breached. Adobe disclosed that it discovered its breach on Jan. 2.

Alperovitch says the attack was well-timed to occur during the holiday season, when company operation centers and response teams would be thinly staffed.

The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. Generally, Alperovitch said, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.

“Cyber criminals are good … but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” he said.

Alperovitch said that McAfee has more information about the hacks that it’s not prepared to disclose at present but hopes to be able to discuss them in the future. Their primary goal, he said, was to get as much information public now to allow people to protect themselves.

He said the company has been working with law enforcement and has been talking with “all levels of the government” about the issue, particularly in the executive branch. He couldn’t say whether there were plans by Congress to hold hearings on the matter.

Washington Post article


By Ellen Nakashima, Published: May 20

Chinese hackers who breached Google’s servers several years ago gained access to a sensitive database with years’ worth of information about U.S. surveillance targets, according to current and former government officials.

The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies.

It’s unclear how much the hackers were able to discover. But former U.S. officials familiar with the breach said the Chinese stood to gain valuable intelligence. The database included information about court orders authorizing surveillance — orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google’s Gmail service.

“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” said one former official, who, like others interviewed for this article, spoke on the condition of anonymity to discuss a highly sensitive matter. The official said the Chinese could also have sought to deceive U.S. intelligence officials by conveying false or misleading information.

Although Google disclosed an intrusion by Chinese hackers in 2010, it made no reference to the breach of the database with information on court orders. That breach prompted deep concerns in Washington and led to a heated, months-long dispute between Google and the FBI and Justice Department over whether the FBI could access technical logs and other information about the breach, according to the officials.

Google declined to comment for this article, as did the FBI.

Last month, a senior Microsoft official suggested that Chinese hackers had targeted the company’s servers about the same time that Google’s system was compromised. The official said Microsoft concluded that whoever was behind the breach was seeking to identify accounts that had been tagged for surveillance by U.S. national security and law enforcement agencies.

“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, said at a conference near Washington, according to a recording of his remarks.

“If you think about this, this is brilliant counterintelligence,” he said in the address, which was first reported by the online magazine CIO.com. “You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”

Microsoft now disputes that its servers had been compromised as part of the cyberespionage campaign that targeted Google and about 20 other companies. Aucsmith, who cited that campaign in his remarks, said in a statement to The Washington Post that his comments were “not meant to cite any specific Microsoft analysis or findings about motive or attacks.”

The U.S. government has been concerned about Chinese hacking since at least the early 2000s, when network intrusions were discovered at U.S. energy labs and defense contractors. The FBI has for years led a national security investigation into Chinese cyberespionage, some of which has been linked to the Chinese military.

The Chinese, according to government, academic and industry analysts, have stolen massive volumes of data from companies in sectors including defense, technology, aerospace, and oil and gas. Gen. Keith B. Alexander, the director of the National Security Agency, has referred to the theft of proprietary data as the “greatest transfer of wealth in history.”

The Chinese emphatically deny that they are engaged in hacking into U.S. computer systems and have said that many intrusions into their own networks emanate from servers in the United States.

“The Chinese government prohibits online criminal offenses of all forms, including cyber attack and cyber espionage, and has done what it can to combat such activities in accordance with Chinese laws,” a Chinese Embassy spokesman, Yuan Gao, said in an e-mail. “We’ve heard all kinds of allegations but have not seen any hard evidence or proof.”

Experts said an elaborate network of interconnected routers and servers can make the Internet tailor-made for the shadowy work of spying and counterspying. It stands to reason, they said, that adversaries would be interested in finding vulnerabilities in the networks of the companies that authorize surveillance on behalf of the government.

“It is an absolute rule of thumb that the best counterintelligence tool isn’t defensive — it’s offensive. It’s penetrating the other service,” said Michael V. Hayden, a former director of the National Security Agency and the CIA, who said he had no knowledge of the incidents. Hacking into a surveillance database, he said, “is a form of that.”

Google’s crisis began in December 2009, when, several former government officials said, the firm discovered that Chinese hackers had penetrated its corporate networks through “spear phishing” — a technique in which an employee was effectively deceived into clicking a bogus link that downloads a malicious program. The hackers had been rooting around inside Google’s servers for at least a year.

Alarmed by the scope and audacity of the breach, the company went public with the news in January 2010, becoming the first U.S. firm to voluntarily disclose an intrusion that originated in China. In a blog post, Google chief legal officer David Drummond said hackers stole the source code that powers Google’s vaunted search engine and also targeted the e-mail accounts of activists critical of China’s human rights abuses.

As Google was responding to the breach, its technicians made another startling discovery: its database with years of information on surveillance orders had been hacked. The database included information on thousands of orders issued by judges around the country to law enforcement agents seeking to monitor suspects’ e-mails.

The most sensitive orders, however, came from a federal court that approves surveillance of foreign targets such as spies, diplomats, suspected terrorists and agents of other governments. Those orders, issued under the Foreign Intelligence Surveillance Act, are classified.

Google did not disclose that breach publicly, but soon after detecting it, the company alerted the FBI, former officials said. Bureau officials told FBI Director Robert S. Mueller III, who briefed President Obama.

At one point, an FBI supervisory agent working on Chinese cyberespionage cases traveled to Google’s Mountain View, Calif., headquarters to conduct a national security investigation, the former officials said. The company, without any guarantees about the scope of the investigation, denied access.

The bureau undertook an extensive assessment to include determining whether individuals under surveillance had moved to other means of communication. Although the assessment showed no damage to national security because of the breach, Google took steps to shield sensitive data.

Michael M. DuBose, former chief of the Justice Department’s Computer Crime and Intellectual Property Section, declined to comment on either the Microsoft or Google cases. But, he said, in general such intrusions serve as “a wake-up call for the government that the overall security and effectiveness of lawful interception and undercover operations is dependent in large part on security standards in the private sector.